1 / 33

A Practical Approach to Advanced Threat Detection and Prevention

A Practical Approach to Advanced Threat Detection and Prevention. Title. Agenda. The Palo Alto Networks approach to threat prevention Zero-day exploit detection with WildFire and PAN-OS 6.0 The rise of mobile malware and attacks on virtualized infrastructure

danyl
Download Presentation

A Practical Approach to Advanced Threat Detection and Prevention

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Practical Approach to Advanced Threat Detection and Prevention Title

  2. Agenda • The Palo Alto Networks approach to threat prevention • Zero-day exploit detection with WildFire and PAN-OS 6.0 • The rise of mobile malware and attacks on virtualized infrastructure • WildFire Appliance (WF-500) sizing and deployment • 3rd party integration with WildFire • Passive DNS and DNS sinkholing

  3. Advanced threat requires a solution, not point products Protections Reduce the attack surface Detect the unknown Create protections 1 2 3 • Whitelist applications or block high-risk apps • Block known viruses, exploits • Block commonly exploited file types • Analysis of all application traffic • SSL decryption • WildFire sandboxing of exploitive files • Detection and blocking of C&C via: • Bad domains in DNS traffic • URLs (PAN-DB) • C&C signatures (anti-spyware) Client Exploit Command/Control Known viruses and exploits EXE, Java, .LNK, DLL DNS HTTP High-risk applications URL / C&C SSL Failed attempts Successful spear-phishing email Post-compromise activity

  4. Using application control against advanced threats

  5. Example 1: Self-updating malware • Repeated pattern of DNS, HTTP, and unknown traffic • The unknown proved to be the most important traffic

  6. A closer look at the unknown session… Unknown traffic is frequently caused by malware using custom encryption, proprietary protocols or file transfers over raw sockets

  7. Example 2: Data exfiltration over DNS • Unknown traffic traversing the DNS port • HTTP using registered/ephemeral ports

  8. Well, Wireshark thinks it’s DNS, so… It is essential to control by application, rather than by port

  9. Other examples of DNS tunneling • tcp-over-dns • dns2tcp • Iodine • Heyoka • OzymanDNS • NSTX Takes advantage of recursive queries to pass encapsulated TCP messages to/from a remote DNS server

  10. What’s new in WildFire™

  11. What’s new in WildFire • Support for additional file types and zero-day exploit detection • Support for multi-OS analysis • Reporting improvements 0-day Android malware 0-day Windows malware 0-day exploits • PAN-OS embedded reports • Report incorrect verdict • Manual malware submission (WF-500) • Static analysis, mutexes, services, register key values, etc.

  12. WildFire Subscription in PAN-OS 6.0 *APK analysis and WildFire API not yet available on WF-500

  13. Malware discovered by WildFire per week • PDF/Office/Java are lower in numbers compared to EXE, but when they hit, it is bad news! • EXE extremely high in count due to lower barrier to entry and ease of use of packers • PDF/Office commonly used in targeted spear-phishing emails • Java commonly used in drive-by download exploits

  14. The emerging mobile malware landscape

  15. The mobile malware problem • Soft target • Many vulnerabilities on older versions of Android (“Beware of employees’ cheap Android phones”, NW 2/21/14) • “Users are 3 times more likely to succumb to phishing attacks on their phones than desktop computes” (Aberdeen Group), and “90% of respondents would not open a suspicious file on a PC, whereas only 60% of tablet and 56% of smartphone users would exercise the same caution” (Symantec study) • Powerful platform • Data on handset at risk, but so is the rest of the corporate network • Mobile devices are PCs on the network – any attack launched from a compromised PC can theoretically be launched from an Android

  16. Mobile malware in use by APT • First known use of APK attachments in APT spear-phishing emails from Chinese actor groups • Email sent March 24th 2013 to Uyghur activists

  17. Click the app and… • Contacts (stored both on the phone and the SIM card) • Call logs • SMS messages • Geo-location • Phone data (phone number, OS version, phone model, SDK version) This is what you see… While this is stolen…

  18. Attacker’s C2 server Web-based C2 Control Panel Remote Desktop

  19. Why focus on APK? • Nearly 100% of all new mobile malware targets Android • Contributing factors: • Large global market share • Slow rate of OS updates on existing platforms • Very easy to run arbitrary software on Android (no jailbreak required) • Many Android app stores with little-to-no quality control Source: forbes.com (3/24/2014)

  20. Current popular mobile malware techniques • Coaxing the download • Mobile malware attached to spear-phishing emails to lure an installation • Masquerading as popular apps (sometimes as “free” versions of non-free software) • Abusing user ignorance • Mobile malware asks for many permissions, knowing user will quickly click-through (similar to SSL click-through problem) • Mobile malware asks for the ability to install additional applications, which is equivalent to giving near-total permission to the malware • Causing mayhem • Data theft (contacts, email, data) • Espionage (audio/video recording, location) • Financial fraud (banking credential theft, SMS scams)

  21. Detect mobile malware on the network and the endpoint • Palo Alto Networks solution offers three opportunities to detect mobile malware • Antivirus APK signatures detects the download of known Android malware over the network • WildFire detects the download of unknown Android malware over the network • GlobalProtect MSM detects presence of known malware already on the device Content WildFire TM GlobalProtect MSM Unknown APK upload to WildFire Detect presence of known malware on endpoint Detect download of known malware Detect download of unknown malware GlobalProtect Gateway

  22. WildFire Appliance (WF-500) • Enables a private cloud deployment of WildFire • Preferred choice for sensitive networks where files cannot leave the local network for dynamic analysis • Architecturally equivalent to public cloud deployment TM WildFire WildFire cloud or appliance WildFire Approach APT Add-on Approach Web Sandbox Email Sandbox File share Sandbox Manual analysis Central manager

  23. WF-500 Sizing • WildFire Appliance (WF-500) is sized to meet analysis demands of large networks • Firewalls analyze millions of sessions • WF-500 statically prescreens most files • Remainder of files are dynamically analyzed • Tip for accurate sizing prediction – use the file blocking profile • All executables, Java, and APK files are sandboxed • PDF and Office documents are “pre-screened” using static analysis • About 10-20% make it to dynamic analysis Ingress traffic All sessions carrying file transfers Millions  Known malware blocked Unknown files sent to WildFire Requires dynamic analysis Hundreds 

  24. Threats facing virtualized environments

  25. New Passive DNS Monitoring • Passive DNS sensors collect non-recursive DNS queries performed by local DNS • Anonymous (no client IPs) • Low data rate (usually up to 1 MB per minute at most) • Builds large database of domain resolution history, including all resource record types (A, AAAA, MX, NS, TXT, etc) • Malicious domains can be “predicted” based on variety of signals: • NX  A or A  NX • Shared known bad IP • Shared known bad NS • Name heuristics such as character randomness, domain within a domain, etc. • Malicious domains added daily to DNS signature set in Anti-spyware profile

  26. Configuring Passive DNS • Passive DNS is enabled via the anti-spyware profile:

  27. New local DNS sinkholing • Discover and confirm compromised hosts via DNS • Trace back to the actual machine without client DNS visibility • Safely block malicious DNS queries and redirect to sinkhole for intel collection Malicious DNS / C2 Where is badguy.com? Local DNS Sinkhole 10.0.1.201 Compromised host badguy.com = 10.0.1.201 Command-and-control traffic

  28. Integrating network and host indicators

  29. How it works Clients running agents WildFire TM WildFire forensics (via WildFire API) Samples 4 1 WildFire logs WildFire logs (via device mgmt API) 2 3 Bit9Central Manager 5 • Interrogations using host-based indicators of compromise • Whitelist/blacklisting by file hash

  30. Splunk App for Palo Alto Networks

  31. Integrating network and host indicators

More Related